Hackers attacked network of the FSB contractor: they became aware of de-anonymization of Tor projects and not only
Last weekend, a number of publications simultaneously reported about hacking into the FSB contractor, Moscow-based Sytek company.
The attackers, hiding under the pseudonym 0v1ru$, posted several screenshots on Twitter (for example, screenshots of the Computer folder that allegedly belonged to the victim), and also shared the stolen data with colleagues from the Digital Revolution group.
They, in turn, also published on Twitter a number of evidence of hacking and attracted attention of the press. For example, they posted in open access a screenshot of the interface of the internal network, and next to the names of the projects (“Arion”, “Relation”, “Hryvnia”, and so on) were the names of their curators, the staff of “Sytek”.
It is reported that the compromise of “Sytek” occurred on July 13, 2019, when attackers broke into the Active Directory server, from where they penetrated to the company’s network, including access to JIRA. As a result, 7.5 TB of data were stolen, and the site was defaced, as can be seen in the illustration below.
The hackers shared documents stolen from “Sitek” with journalists of several publications, including the “Russian BBC Service”.
“We believe that the Kremlin is trying to de-anonymize Tor purely for its own selfish purposes. Under various pretexts, the authorities are trying to restrict us from being able to freely express our opinion”, – BBC wrote the Digital Revolution hackers.
From the archive, which was at the disposal of the publication, it can be concluded that the company carried out work on at least 20 non-public IT projects ordered by Russian special services and departments. It is emphasized that the papers did not contain any notes about state secrets or secrecy.
The dump also contained a quite detailed description of the Sytek projects, including:
Nautilus-S: the main task of the project is to de-anonymize users of the Tor browser. Developed in 2012 by request of the Research Institute “Kvant”, it includes the Tor exit node, through which traffic could be monitored or even changed. Interestingly, in 2014, experts from the University of Karlstad already discovered similar attacks, and some of the dangerous nodes were already linked to Russia.
Nautilus: created to collect information about users of social networks. The documents indicate the period of work (2009-2010) and their cost (18.5 million rubles). The journalists did not manage to find out if Sytek found a customer for this project. Follow the intended users of Facebook, MySpace and LinkedIn.
Award: research work, which was carried out in 2013-2014. Studied “the possibility of developing a complex of penetration and covert use of resources of peer-to-peer and hybrid networks.” The customer of this project is not listed in the documents. It seems that the experts of “Sitek” planned to find a vulnerability in the BitTorrent protocol, and the company was also interested in the Jabber, OpenFT and ED2K protocols.
Mentor: this project was related to the military unit No. 71330 (presumably, electronic intelligence of the FSB of Russia). The goal of the Mentor was to monitor email at the customer’s choice. The project was designed for 2013-2014. The “Mentor” could be set up in such a way that it checks the mail of the required respondents at a specified time interval or collects an “intellectual group of prey” according to the specified phrases.
Nadezhda: the project dedicated to creating a program that accumulates and visualizes information about how the Russian segment of the Internet is connected to the global network. The customer of the work carried out in 2013-2014 was the same military unit No. 71330.
Mosquito: another order of military unit No. 71330, which took place in 2015. Within the framework of the project, research work was carried out to create a “software and hardware complex” capable of anonymously searching for and collecting “information materials of the Internet” while hiding “informational interest”.
Tax 3: the most recent project mentioned in the stolen documents is dated 2018. It was ordered by the JSC “Main Scientific Innovation Innovation Center”, subordinate to the Federal Tax Service. Allows manually remove from the information system of the FTS data of persons under state protection (similar to witness protection program). Papers describes creation of a closed data center for persons under protection. These include some state and municipal servants, judges, participants in criminal proceedings and other categories of citizens.
The Swiss Spiez Laboratory, which specializes in the prevention of chemical, biological and atomic warfare,…
Daniel Zimmermann
Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.